Wiki

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside of thecase which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt unlocked and without ties to a specific carrier. The E3531 is usually available for 15 Euro locked to O2 and it requires ID to purchase because of the included SIM card.

Upon insertion lsusb reports:

Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd.

The dmesg entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:

It is possible to enable a currently undocumented two serial port mode from the single serial port mode.While configured in debug mode, open /dev/ttyUSB0 and issue the AT^GOADLOAD command. This will close /dev/ttyUSB0 and open two other /dev/ttyUSB0 and /dev/ttyUSB1 devices. Neither device responds to the AT command set.

The cdc_ethernet mode creates an ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with ip and ifconfig as if it were a normal ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They're not all in sync.

Depending on the mode of operations, different AT commands are available - the default three serial port mode is restricted and the single serial port debug mode appears to allow many additional commands.

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use binwalk to extract files and information.

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.